OPERATING SYSTEMS 

This invention relates to operating systems. More particularly, this invention relates to systems, methods and computer programs for running multiple operating systems concurrently.

For some computer programs, it is critical that steps in the program are performed within defined time periods, or at defined times. Examples of such programs are control programs for operating mobile telephones, or for operating private branch exchanges (PBXs) or cellular base stations. Typically, the program must respond to external events or changes of state in a consistent way, at or within a certain time after the event. This is referred to as operating in "real time".

For many other programs, however, the time taken to execute the program is not critical. This applies to most common computer programs, including spreadsheet programs, word processing programs, payroll packages, and general reporting or analysis programs. On the other hand, whilst the exact time taken by such programs is not critical, in most cases, users would prefer quicker execution where this is possible.

Applications programs interact with the computers on which they run through operating systems. By using the applications programming interface (API) of the operating system, the applications program can be written in a portable fashion, so that it can execute on different computers with different hardware resources. Additionally, common operating systems such as Linux or Windows provide multi-tasking; in other words, they allow several programs to operate concurrently. To do so, they provide scheduling; in other words, they share the usage of the resources of the computer between the different programs, allocating time to each in accordance with a scheduling algorithm. Operating systems of this kind are very widely used, but they generally make no provision for running real time applications, and they therefore are unsuitable for many control or communications tasks.

For such tasks, therefore, real time operating systems have been developed; one example is ChorusOS (also known as Chorus) and its derivatives. Chorus is available as open source software from:
fatp://www.^ _ ^ 

and Jaluna at

http://www.jaluna.com/

It is described in "ChorusOS Features and Architecture Overview", Francois Armand, Sun Technical Report, August 2001, 222p, available from:
http://www.jaluna.coirt/deveic^ : ' 

These operating systems could also be used to run other types of programs. However, users understandably wish to be able to run the vast number of "legacy" programs which are written for general purpose operating systems such as Windows or Linux, without having to rewrite them to run on a real time operating system.

In US 5903752 and US 5721922, an attempt is made to incorporate a real time environment into a non real time operating system by providing a real time multi-tasking kernel in the interrupt handling environment of the non real time operating system (such as Windows).

It would be possible to provide a "dual boot" system, allowing the user to run either one operating system or the other, but there are many cases where it would be desirable to be able to run a "legacy" program at the same time as running a real time program. For example, telecommunications network infrastructure equipment, third generation mobile phones and other advanced phones, and advanced electronic gaming equipment may require both realtime applications (e.g. game playing graphics) and non-realtime applications (game download).

One approach which has been widely used is "emulation". Typically, an emulator program is written, to run under the real time operating system, which interprets each instruction of a program written for a general purpose operating system, and performs a corresponding series of instructions under the real time operating system. However, since one instruction is always replaced by many, emulation places a heavier load on the computer, and results in slower performance. Similar problems arise from the approach based on providing a virtual machine (e.g. a Java™ virtual machine).

A further similar technique is described in US 5995745 (Yodaiken). Yodaiken describes a system in which a multi-tasking real-time operating system runs a general purpose operating system as one of its tasks, pre-empting it as necessary to perform real time tasks.

A more similar approach is that of ADEOS (Adaptive Domain Environment for Operating Systems), described in a White Paper at:

http://opersys.com/ftp/pub/Adeos/adeos.pdf

ADEOS provides a nanokernel which is intended, amongst other things, for running multiple operating systems, although it appears only to have been implemented with Linux. One proposed use of ADEOS was to allow ADEOS to distribute interrupts to RTAI (Realtime Application Interface for Linux), for which see:

http:/Avww.aero.polimiJt^ ' 

An object of the present invention is to provide an improved system, method and computer program for running multiple operating systems simultaneously, even when the systems are designed for different purposes. In particular, the present invention aims to allow one of the operating systems (for example, a real time operating system) to perform without disturbance, and the other (for example, a general purpose operating system) to perform as well as possible using the remaining resources of the computer.

Accordingly, in one aspect, the present invention provides a system in which multiple operating systems are slightly modified and provided with a common program which schedules between them, in which one of the operating systems (the "primary" or "critical" operating system) is favoured over another (the "secondary" or non-critical operating system). Preferably, the invention allocates hardware preferentially to the critical operating system, and it denies the secondary operating system or systems access which would interfere with that of the critical operating system. Preferably, the present invention uses the critical operating system drivers to access shared resources, even if the access is requested by the secondary operating system. However, in no sense is the critical operating system "running" the secondary operating system, as in US 5995745; each system ignores the others running alongside it and only communicates with the common program (corresponding to a nanokernel of the prior art) which brokers the access to the drivers of the critical operating system.

Other aspects, embodiments and preferred features, with corresponding advantages, will be apparent from the following description, claims and drawings.

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram showing the elements of a computer system on which the present invention can execute;

Figure 2a is a diagram illustrating the arrangement of software in the prior art; and

Figure 2b is the corresponding diagram illustrating the arrangement of software according to the present embodiment;

Figure 3 is a flow diagram showing the stages in creating the software of Figure 2b for the computer of Figure 1;

Figure 4 shows the components of a hardware resource dispatcher forming part of Figure 2b;

Figure 5 illustrates the program used in a boot and initialisation sequence;

Figure 6 illustrates the system memory image used in the boot or initialisation process;

Figure 7 illustrates the transition from a primary operating system to a secondary operating system;

Figure 8 illustrates the transition from a secondary operating system to a primary operating system;

Figure 9a illustrates the communication between applications running on different operating systems according to the invention;

Figure 9b illustrates the communication between applications running on different operating systems on different computers according to the invention;

Figure 10 shows an example of the primary, secondary and nanokernel virtual address spaces;

Figure 11 shows how the memory context is switched in time;

Figure 12 illustrates the visible part of the nanokernel context; and

Figure 13 shows the execution flow and how the nanokernel stack is used to allow interrupt handling and primary kernel re-entrance.

Introduction

System Hardware

A computer system to which the system is applicable 100 comprises a central processing unit (CPU) 102, such as a Pentium 4™ CPU available from Intel Corporation, or PowerPC CPU available from Motorola (the embodiment has been implemented on both), coupled via a system bus 104 (comprising control, data and address buses) to a read-only memory (ROM) chip 106; one or more banks of random access memory (RAM) chips (108); disk controller devices 110 (for example IDE or SCSI controllers, connected to a floppy disk drive, a hard disk drive, and additional removable media drives such as DVD drives); one or more input/output ports (112) (for example, one or more USB port controllers, and/or parallel port controllers for connection to printer and so on); an expansion bus 114 for bus connection to external or internal peripheral devices (for example the PCI bus); and other system chips 116 (for example, graphics and sound devices). Examples of computers of this type are personal computers (PCs) and workstations. However, the application of the invention to other computing devices such as mainframes, embedded microcomputers in control systems, and PDAs (in which case some of the indicated devices, such as disk drive controllers, may be absent) is also disclosed herein.

Management of Software

Referring to Figure 2a, in use, the computer 100 of Figure 1 runs resident programs comprising an operating system kernel 202 (which provides the output routines allowing access by the CPU to the other devices shown in Figure 1); an operating system user interface or presentation layer (such as X Windows); a middleware layer 206 (providing protocols such as, for instance, a TCP/IP stack); and applications 208a, 208b, which run by making calls to the API routines forming the operating system kernel 202.

The operating system kernel has a number of tasks, in particular:

■ scheduling (i.e. sharing the CPU and associated resources between different applications which are running);

■ memory management (i.e. allocating memory to each task, and, where necessary, swapping data and programs out of memory and on to disk drives);

■ providing a file system;

■ providing access to devices (typically, through drivers);

■ interrupt handling;

■ providing an applications programming interface enabling the applications to interact with system resources and users.

The kernel may be a so-called "monolithic kernel" as for Unix, in which case the device drivers form part of the kernel itself. Alternatively, it may be a "microkernel" as for Chorus, in which case the device drivers are separate of the kernel.

In use, then, when the computer 100 is started, a bootstrap program stored in ROM 106 accesses the disk controllers 110 to read the file handling part of the operating system from permanent storage on disk into RAM 108, then loads the remainder of the operating system into an area of RAM 108. The operating system then reads any applications from the disk drives via the disk controllers 110, allocates space in RAM 108 for each, and stores each application in its allocated memory space.

During operation of the application, the scheduler part of the operating system divides the use of the CPU between the different applications, allowing each a share of the time on the processor according to a scheduling policy. It also manages use of the memory resources, by "swapping out" infrequently used applications or data (i.e. removing them from RAM 108 to free up space, and storing them on disk).

Finally the routines making up the applications programming interface (API) are called from the applications, to execute functions such as input and output, and the interrupt handling routines of the operating system respond to interrupt and events.

Summary of Principles of the Preferred Embodiment

In the preferred embodiment, each operating system 201, 202 to be used on the computer 100 is slightly re-written, and a new low-level program 400 (termed here the "hardware resource dispatcher", and sometimes known as a "nanokernel" although it is not the kernel of an operating system) is created. The hardware resource dispatcher 400 is specific to the particular type of CPU 102, since it interacts with the processor. The versions of the operating systems which are modified 201, 202 are also those which are specific to the hardware, for reasons which will become apparent.

The hardware resource dispatcher 400 is not itself an operating system. It does not interact with the applications programs at all, and has very limited functionality. Nor is it a virtual machine or emulator; it requires the operating systems to be modified in order to cooperate, even though it leaves most of the processing to the operating systems themselves, running their native code on the processor.

It performs the following basic functions:

■ loading and starting each of the multiple operating systems;

■ allocating memory and other system resources to each of the operating systems;

■ scheduling the operation of the different operating systems (i.e. dividing CPU time between them, and managing the change over between them);

■ providing a "virtualised device" method of indirect access to those system devices which need to be shared by the operating systems ("virtualising" the devices);

■ providing a communications link between the operating systems, to allow applications running on different operating systems to communicate with each other.
The operating systems are not treated equally by the embodiment. Instead, one of the operating systems is selected as the "critical" operating system (this will be the real time operating system), and the or each other operating system is treated as a "non critical" or "secondary" operating system (this will be the or each general purpose operating system such as Linux).

When the hardware resource dispatcher is designed, it is provided with a data structure (e.g. a table) listing the available system resources (i.e. devices and memory), to enable as many system devices as possible to be statically allocated exclusively to one or other of the operating systems.

For example, a parallel printer port might be statically allocated to the general purpose operating system 202, which will often run applications which will need to produce printer output. On the other hand, an ISDN digital line adapter port may be permanently allocated to the real time operating system 201 for communications. This static allocation of devices wherever possible means that each operating system can use its existing drivers to access statically allocated devices without needing to call the hardware resource dispatcher. Thus, there is no loss in execution speed in accessing such devices (as there would be if it acted as a virtual machine or emulator).

In the case of system devices which must be shared, the hardware resource dispatcher virtualises uses of the devices by the non-critical operating systems, and makes use of the drivers supplied with the critical operating system to perform the access. Likewise, for interrupt handling, the interrupts pass to the critical operating system interrupt handling routines, which either deal with the interrupt (if it was intended for the critical operating system) or pass it back through the hardware resource dispatcher for forwarding to a non critical operating system (if that was where it was destined).

On boot, the hardware resource dispatcher is first loaded, and it then loads each of the operating systems in a predetermined sequence, starting with the critical operating system, then following with the or each secondary operating system in turn. The critical operating system is allocated the resources it requires from the table, and has a fixed memory space to operate in. Then each secondary operating system in turn is allocated the resources and memory space it requires from the available remaining resources.

Thus, according to the embodiment, the resources used by the operating systems are separated as much as physically possible, by allocating each its own memory space, and by providing a static allocation of devices exclusively to the operating systems; only devices for which sharing is essential are shared.
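The allocation scheme described above can be sketched as follows. This is an added illustration, not code from the patent or from any Jaluna product; every identifier, the device names and the request lists are hypothetical and constructed for the example. It shows the boot-order allocation (critical operating system first, secondary from what remains) and how an access request resolves to a native driver, a virtualised device, or a refusal.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical identifiers: the text describes the table only in prose. */
enum os_id { OS_NONE = -1, OS_CRITICAL = 0, OS_SECONDARY = 1 };
enum access_path { ACCESS_DENIED, ACCESS_NATIVE_DRIVER, ACCESS_VIRTUAL_DEVICE };

struct resource {
    const char *name;
    int shared;        /* 1: sharing is essential, real access stays with the critical OS */
    enum os_id owner;  /* exclusive owner, OS_NONE until allocated at boot */
};

#define NRES 5
static struct resource table[NRES];

/* Constructed sample table: three exclusive devices, two that must be shared. */
static void table_reset(void) {
    static const struct resource init[NRES] = {
        { "isdn-adapter",         0, OS_NONE },
        { "parallel-port",        0, OS_NONE },
        { "uart0",                0, OS_NONE },
        { "interrupt-controller", 1, OS_CRITICAL },
        { "system-timer",         1, OS_CRITICAL },
    };
    memcpy(table, init, sizeof table);
}

static struct resource *lookup(const char *name) {
    for (int i = 0; i < NRES; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Give one OS the devices it asks for; returns how many requests were refused. */
static int allocate_for(enum os_id os, const char *const *wanted, int n) {
    int refused = 0;
    for (int i = 0; i < n; i++) {
        struct resource *r = lookup(wanted[i]);
        if (!r) { refused++; continue; }          /* not in the table at all */
        if (r->shared) continue;                  /* never handed out exclusively */
        if (r->owner == OS_NONE) r->owner = os;   /* first claimant in boot order wins */
        else if (r->owner != os) refused++;       /* already owned by an earlier OS */
    }
    return refused;
}

/* Boot sequence: critical OS first, then the secondary from what remains. */
static int boot_all(void) {
    static const char *const critical_wants[]  = { "isdn-adapter", "uart0" };
    static const char *const secondary_wants[] = { "parallel-port", "uart0", "system-timer" };
    table_reset();
    int refused = allocate_for(OS_CRITICAL, critical_wants, 2);
    refused += allocate_for(OS_SECONDARY, secondary_wants, 3);
    return refused;
}

/* How an access request from a given OS is routed. */
static enum access_path resolve_access(enum os_id os, const char *name) {
    struct resource *r = lookup(name);
    if (!r) return ACCESS_DENIED;
    if (r->shared)   /* secondary goes through the dispatcher to the critical OS driver */
        return os == OS_CRITICAL ? ACCESS_NATIVE_DRIVER : ACCESS_VIRTUAL_DEVICE;
    return r->owner == os ? ACCESS_NATIVE_DRIVER : ACCESS_DENIED;
}

int main(void) {
    printf("refused requests at boot: %d\n", boot_all());
    printf("secondary -> isdn-adapter: %d\n", resolve_access(OS_SECONDARY, "isdn-adapter"));
    printf("secondary -> system-timer: %d\n", resolve_access(OS_SECONDARY, "system-timer"));
    return 0;
}
```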

In operation, the hardware resource dispatcher scheduler allows the critical operating system to operate until it has concluded its tasks, and then passes control back to each non critical operating system in turn, until the next interrupt or event occurs.

The embodiment thus allows a multi operating system environment in which the operation of the critical operating system is virtually unchanged (since it uses its original drivers, and has first access to any interrupt and event handling). The secondary operating systems are able to operate efficiently, within the remaining processor time, since in most cases they will be using their own native drivers, and will have exclusive access to many of the system devices. Finally, the hardware resource dispatcher itself can be a small program, since it handles only limited functions, so that system resources are conserved.

The preferred embodiment is also economic to create and maintain, because it involves only limited changes to standard commercial operating systems which will already have been adapted to the particular computer 100. Further, since the changes to the operating systems are confined to architecture specific files handling matters such as interrupt handling, and configuration at initialising time, which interface with the particular type of computer 100, and which are unlikely to change as frequently as the rest of the operating system, there may be little or no work to do in adapting new versions of the same operating system to work in a multiple operating system fashion.

Detailed Description of the Preferred Embodiment

In this embodiment, the computer 100 was an Intel 386 family processor (e.g. a Pentium processor) and a Motorola PowerPC 750 (Reduced Instruction Set Computer or "RISC") computer (step 302). The operating system 201 was the C5 operating system (the real time microkernel of Jaluna-1, an open-source version of the fifth generation of the ChorusOS system, available for open source, free download from http://www.jaluna.com).

In step 306, the ChorusOS operating system kernel 201 is modified for operating in multiple operating system mode, which is treated in the same way as porting to a new platform (i.e. writing a new Board Support Package to allow execution on a new computer with the same CPU but different system devices). The booting and initialisation sequences are modified to allow the real time operating system to be started by the hardware resource dispatcher, in its allocated memory space, rather than starting itself. The hardware-probing stage of the initialisation sequence is modified, to prevent the critical operating system from accessing the hardware resources which are assigned to other secondary systems. It reads the static hardware allocation table from the hardware resource dispatcher to detect the devices available to it.

Trap calls 2012 are added to the critical operating system, to detect states and request some actions in response. A trap call here means a call which causes the processor to save the current context (e.g. state of registers) and load a new context. Thus, where virtual memory addressing is used, the address pointers are changed.

For example, when the real time operating system 201 reaches an end point (and ceases to require processor resources) control can be passed back to the hardware resource dispatcher, issuing the "idle" trap call, to start the secondary operating system. Many processors have a "halt" instruction. In some cases, only supervisor-level code (e.g. operating systems, not applications) can include such a "halt" instruction. In this embodiment, all the operating systems are rewritten to remove "halt" instructions and replace them with an "idle" routine (e.g. an execution thread) which, when called, issues the "idle" trap call.

Some drivers of the Board Support Package are specially adapted to assist the hardware resource dispatcher in virtualizing the shared devices for secondary operating systems.

Additional "virtual" drivers 2014 are added which, to the operating system, appear to provide access to an input/output (I/O) bus, allowing data to be written to the bus. In fact, the virtual bus driver 2014 uses memory as a communications medium; it exports some private memory (for input data) and imports memory exported by other systems (for output data). In this way, the operating system 201 (or an application running on the operating system) can pass data to another operating system (or application running on it) as if they were two operating systems running on separate machines connected by a real I/O bus.

The secondary operating system 202 was selected (step 308) as Linux, having a kernel version 2.4.18 (step 308).

In step 310, the secondary operating system kernel 202 is modified to allow it to function in a multiple operating system environment, which is treated as a new hardware architecture. As in step 306, the boot and initialisation sequences are modified, to allow the secondary operating system to be started by the hardware resource dispatcher, and to prevent it from accessing the hardware resources assigned to the other systems, as specified in the hardware resource dispatcher table. As in step 306, trap calls 2022 are added, to pass control to the hardware resource dispatcher.

Native drivers for shared system devices are replaced by new drivers 2028 dealing with devices which have been virtualized by the hardware resource dispatcher (interrupt controller, I/O bus bridges, the system timer and the real time clock). These drivers execute a call to virtual device handlers 416 of the hardware resource dispatcher in order to perform some operations on a respective device of the computer 100. Each such virtual device handler 416 of the hardware resource dispatcher is paired with a "peer" driver routine in the critical operating system, which is arranged to directly interact with the system device. Thus, a call to a virtual device handler is relayed up to a peer driver in the critical system for that virtualized device, in order to make real device access. As in step 306, read and write drivers 2024 for the virtual I/O bus are provided, to allow inter-operating system communications.

The interrupt service routines of the secondary operating system are modified, to provide virtual interrupt service routines each of which responds to a respective virtual interrupt (in the form of a call issued by an interrupt handler routine 412 of the hardware resource dispatcher), and not to respond to real interrupts or events. Routines of the secondary operating system (including interrupt service routines) are also modified to remove masking of hardware interrupts (at least in all except critical operations). In that way, the secondary operating systems 202, ... are therefore pre-emptable by the critical operating system 201; in other words, the secondary operating system response to a virtual interrupt can itself be interrupted by a real interrupt for the critical operating system.

■ masking/unmasking events (interrupts at processor level);

■ saving/restoring events mask status;

■ identifying the interrupt source;

■ masking/unmasking interrupts at source level (interrupt controller devices).
New virtual device drivers 2028 are added, for accessing the shared hardware devices (the I/O bus bridges, the system console, the system timer and the real time clock). These drivers execute a call to virtual device handlers 416 of the hardware resource dispatcher in order to write data to, or read data from, a respective device of the computer 100.

To effect this, the Linux kernel 207 is modified in this embodiment by adding new virtual hardware resource dispatcher architecture sub trees (nk-i386 and nk-ppc for the I-386 and PowerPC variants) with a small number of modified files. Unchanged files are reused in their existing form. The original sub-trees are retained, but not used.

In step 312, the hardware resource dispatcher 400 is written. The hardware resource dispatcher comprises code which provides routines for the following functions (as shown in Figure 4):

■ booting and initialising itself (403);

■ storing a table (403) which stores a list of hardware resources (devices such as ports) and an allocation entry indicating to which operating system each resource is uniquely assigned;

■ booting and initialising the critical operating system that completes the hardware resource dispatcher allocation tables (404);

■ booting and initialising secondary operating systems;

■ switching between operating systems (408);

■ scheduling between operating systems (410);

■ handling interrupts (using the real time operating system interrupt service routines, and supplying data where necessary to the virtual interrupt service routines of the secondary operating systems) (412);

■ handling trap calls from each of the operating systems (414);

■ handling access to shared devices from the secondary operating systems (416);

■ handling inter-operating system communications on the virtual I/O bus (418).

In further embodiments (described below), it may also provide a system debugging framework.

Operating system switcher 408

In order to switch from an operating system to another, the operating system switcher 408 is arranged to save the "context" (the current values of the set of state variables, such as register values) of the currently executing operating system; restore the stored context of another operating system; and call that other operating system to recommence execution where it left off. Where the processor uses segments of memory, and virtual or indirect addressing techniques, the registers or data structures storing the pointers to the current memory spaces are thus swapped. For example, the operating systems each operate in different such memory spaces, defined by the context including the pointer values to those spaces.

In detail, the switcher provides:

• explicit switches (e.g. trap calls) from the currently running to the next scheduled operating systems, when the current becomes idle; and

• implicit switches from a secondary operating system to the critical operating system, when a hardware interrupt occurs.

The switches may occur on a trap call or a real or virtual interrupt, as described below.

Scheduler 410

The scheduler 410 allocates each operating system some of the available processing time, by selecting which secondary operating system (if more than one is present) will be switched to next, after exiting another operating system. In this embodiment, each is selected based on fixed priority scheduling. Other embodiments allowing specification based on time sharing, or guaranteed minimum percentage of processor time, are also contemplated herein. In each case, however, the critical operating system is pre-empted only when in the idle state.

In further embodiments, the critical operating system may explicitly inform the scheduler 410 when it may be pre-empted, so as to allow all secondary operating systems some access to the CPU to perform tasks with higher priority than the tasks still running on the critical system. Thus, in one example, the interrupt service routines of the critical operating system cannot be pre-empted, so that the critical operating system can always respond to external events or timing signals from the realtime clock, maintaining realtime operation.



Handling virtualised processor exceptions

The hardware resource dispatcher is arranged to handle processor exceptions (e.g. CPU interrupts) as follows:

• firstly, to intercept processor exceptions through the critical operating system;

• secondly, to post a corresponding virtual exception to one or more secondary operating systems; to store that data and, when the scheduler next calls that secondary operating system, to call the corresponding virtual interrupt service routine in the secondary operating system;

• thirdly, to mask or unmask any pending virtual exceptions from within secondary operating systems.

Virtualised exceptions are typically used for two different purposes:

♦ Firstly, to forward hardware device interrupts (which are delivered as asynchronous processor exceptions) to secondary operating systems;

♦ Secondly, to implement inter-operating system cross-interrupts, i.e. interrupts generated by one system for another (which are delivered as synchronous exceptions).
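The scheduler and switcher rules and the virtualised exception mechanism described above fit together as in the following simulation. It is an added example, not code from the patent or from any real nanokernel; all identifiers are hypothetical, and the two secondary operating systems with priorities 1 and 2 are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC 2          /* constructed: two secondary OSes, indexed 0 and 1 */
#define CRITICAL (-1)   /* id used here for the critical (real time) OS */

struct secondary {
    int priority;        /* fixed priority; larger value is scheduled first */
    int runnable;        /* cleared when the OS issues the "idle" trap */
    uint32_t pending;    /* virtual exceptions posted but not yet delivered */
    uint32_t enabled;    /* virtual exceptions this OS currently has unmasked */
    uint32_t delivered;  /* what its virtual ISRs have seen (demo bookkeeping) */
};

static struct secondary sec[NSEC];
static int critical_idle;   /* set once the critical OS has issued "idle" */
static int current;         /* which OS holds the CPU */

static void nk_reset(void) {
    for (int i = 0; i < NSEC; i++)
        sec[i] = (struct secondary){ .priority = i + 1, .runnable = 1, .enabled = ~0u };
    critical_idle = 0;
    current = CRITICAL;
}

/* Call the virtual ISR for every pending exception the OS has unmasked. */
static void deliver(int os) {
    uint32_t fire = sec[os].pending & sec[os].enabled;
    sec[os].pending &= ~fire;
    sec[os].delivered |= fire;
}

/* Critical OS runs unless idle; otherwise the highest fixed-priority runnable
 * secondary runs, and its pending virtual exceptions are delivered on entry. */
static int schedule(void) {
    int best = CRITICAL;
    if (!critical_idle) return current = CRITICAL;
    for (int i = 0; i < NSEC; i++)
        if (sec[i].runnable && (best == CRITICAL || sec[i].priority > sec[best].priority))
            best = i;
    current = best;
    if (best != CRITICAL) deliver(best);
    return current;
}

/* Real interrupt: implicit switch to the critical OS, whose handler either
 * consumes it or posts a virtual exception to the secondary it is meant for. */
static int hw_interrupt(int irq, int dest) {
    current = CRITICAL;
    critical_idle = 0;
    if (dest != CRITICAL) {
        sec[dest].pending |= 1u << irq;
        sec[dest].runnable = 1;
    }
    return current;
}

/* "idle" trap from whichever OS is running: explicit switch to the next one. */
static int trap_idle(void) {
    if (current == CRITICAL) critical_idle = 1;
    else sec[current].runnable = 0;
    return schedule();
}

/* Masking is per secondary OS and never touches the real interrupt controller. */
static void virq_mask(int os, int irq) { sec[os].enabled &= ~(1u << irq); }
static void virq_unmask(int os, int irq) {
    sec[os].enabled |= 1u << irq;
    if (current == os) deliver(os);   /* anything held back fires now */
}

int main(void) {
    nk_reset();
    virq_mask(0, 5);
    hw_interrupt(5, 0);                           /* for secondary 0, which has it masked */
    printf("after idle: OS %d\n", trap_idle());   /* secondary 1 (higher priority) */
    hw_interrupt(3, 1);                           /* pre-empts secondary 1 */
    printf("after idle: OS %d\n", trap_idle());   /* back to 1, virq 3 delivered */
    printf("after idle: OS %d\n", trap_idle());   /* 1 idles, secondary 0 runs */
    virq_unmask(0, 5);
    printf("secondary 0 delivered mask: 0x%x\n", (unsigned)sec[0].delivered);
    return 0;
}
```

A secondary operating system that masks its virtual exceptions delays only its own delivery; the real interrupt has already been taken by the critical operating system.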



Trap call handler 414

The operation of the trap call handler will become apparent from the following description. Its primary purpose is to allow the scheduler and switcher to change to another operating system when a first one halts (and hence does not require CPU resources). An additional role is to invoke hardware resource dispatcher services such as a system console for use in

Virtualised devices 416

As indicated above, for each shared device (e.g. interrupt controller, bus bridges, system timer, realtime clock) each operating system provides a device driver, forming a set of peer-level drivers for that device. The realtime operating system provides the driver used to actually access the device, and the others provide virtual device drivers.
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The shared device handler 416 Of tfefe'Wdwaie "refiouiW dispatcher : : 
provides a stored data structure for each device, gor access %:aiU peer? device 
drivers of that device. When , the device Tis to! be ^cas^ed, or h&s lbfcfcn. : 
accessed, the device drivers update the data sldr^a in ;tbfi.ctowpbAi*^tote 
structure with the details of the : access. The^eerdrivere 1 li^cro&^iiii^rujim ./ 
(as discussed above) to signal an event to. notify i other psCT drivers that & at - 
the data structure has just been updated :■*!.; : . 

The drivers which are for accessing interrupt controller devices use the virtualised exception mechanisms discussed above to handle hardware interrupts as follows:

• The critical operating system device driver handles hardware interrupts and forwards them as virtualised exceptions to the secondary peer drivers;

• The secondary operating system enables and disables interrupts by using the virtualised exception masking and unmasking routines discussed above.

I/O buses and their bridges only have to be shared if the devices connected to them are not all allocated to the same operating system. Thus, in allocating devices, to the extent possible, devices connected to the same I/O bus are allocated to the same operating system. Where sharing is necessary, the resource allocation table 404 stores data indicating the allocation of the resources on the bus (address spaces, interrupt lines and I/O ports) to indicate which operating system has which resources.

Implementation of the embodiment

Finally, in step 314, the code for the hardware resource dispatcher and operating systems is compiled as a distributable binary computer program product for supply with the computer 100.

A product which may be supplied in accordance with an aspect of the invention is a development environment product, comprising a computer program which enables the user to select different operating systems to be used, build and select different applications for each operating system, embed the application and operating systems into a deliverable product, and provide for booting of the operating system and launch of executable binaries of the applications. This is based on, and similar to, the C5 development environment, available from www.jaluna.com.

Operation of the Embodiment During Booting and Initialisation

Referring to Figure 5, the boot and initialisation processes according to this embodiment are performed as follows.

A bootstrapping program ("trampoline") 4022 stored in the ROM 106 is executed when power is first supplied, which starts a program 4024 which installs the rest of the hardware resource dispatcher program 400 into memory, and starts it, passing as an argument a data structure (as described below) describing the system image configuration.

The hardware resource dispatcher initialises a serial line which may be used for a system console. It then allocates memory space (an operating system environment) for each operating system in turn, starting with the critical operating system. The hardware resource dispatcher therefore acts as a second level system kernel boot loader.

Each operating system kernel then goes through its own initialisation phase, selecting the resources to be exclusive to that operating system within those remaining in the resource allocation table 404, and starting its initial services and applications.

Figure 6 illustrates an example of a memory address allocation forming the system image. A position within memory is allocated when the hardware resource dispatcher and operating systems are compiled. The set of these positions in memory defines the system image, shown in Figure 6. The system image comprises a first bank of memory 602 where the hardware resource dispatcher is located; a second bank of memory 604 where the real time operating system is located; a third bank of memory 606 where the secondary operating system is located; and, in this embodiment, a fourth bank of memory 608 where the RAM disk containing a root file system of the secondary operating system (Linux) is located.

This system image is stored in persistent storage (e.g. read only memory for a typical real time device such as a mobile telephone or PBX). The remaining banks of memory are available to be allocated to each operating system as its environment, within which it can load and run applications.

Allocation of Memory for Operating System Context

Whilst being booted, each operating system then allocates a complementary piece of memory in order to meet the total size required by its own configuration. Once allocated to an operating system, banks of memory are managed using the physical memory management scheme of the operating system itself. All other memory is ignored by the operating system.

Virtual Memory Allocation 

Each operating system is allocated separate virtual memory spaces, to make sure that operating systems cannot interfere with each other or with the hardware resource dispatcher. The User address spaces (i.e. ranges) and Supervisor address space (i.e. range) of each of the operating systems are each allocated a different memory management unit (MMU) context identifier (ID), which allows the differentiation of different virtual memory spaces having overlapping addresses. The MMU context IDs are assigned to each operating system at the time it is compiled.

This solution avoids the need to flush translation caches (TLBs) when the hardware resource dispatcher switches between different operating systems, which would take additional time. Instead, the switch-over between different operating systems is accomplished by storing the MMU context IDs of the currently functioning operating system, and recalling the previously stored MMU context IDs of the switched-to operating system.
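The effect of tagging translations with a context ID, as an added C model that is not code from the patent: two operating systems use the same virtual address (0xC0000123 is a constructed value), and the model counts page-table walks when switching by reloading the context ID versus flushing the TLB. The TLB size, the 8-bit tag and the page tables are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define TLB_ENTRIES 8
#define PAGE_SHIFT  12

/* One TLB entry, tagged with the MMU context ID that installed it. */
struct tlb_entry {
    int      valid;
    uint8_t  ctx;   /* MMU context ID (hypothetical 8-bit tag) */
    uint32_t vpn;   /* virtual page number */
    uint32_t pfn;   /* physical frame number */
};

struct mmu {
    struct tlb_entry tlb[TLB_ENTRIES];
    uint8_t  cur_ctx;   /* context ID register, reloaded on every OS switch */
    unsigned next;      /* round-robin victim index */
    unsigned misses;    /* page-table walks performed */
};

/* Constructed page tables: each context maps the same virtual pages to its
 * own bank of physical frames, so virtual addresses overlap but frames do not. */
static uint32_t page_table_walk(uint8_t ctx, uint32_t vpn)
{
    uint32_t bank = (ctx == 1) ? 0x01000u : 0x04000u;
    return bank + (vpn & 0xFFu);
}

static uint32_t translate(struct mmu *m, uint32_t vaddr)
{
    uint32_t vpn = vaddr >> PAGE_SHIFT;
    uint32_t off = vaddr & ((1u << PAGE_SHIFT) - 1u);

    for (unsigned i = 0; i < TLB_ENTRIES; i++) {
        struct tlb_entry *e = &m->tlb[i];
        /* A hit needs the tag to match: another OS's entry is invisible. */
        if (e->valid && e->ctx == m->cur_ctx && e->vpn == vpn)
            return (e->pfn << PAGE_SHIFT) | off;
    }
    m->misses++;                          /* miss: walk and install */
    struct tlb_entry *v = &m->tlb[m->next];
    m->next = (m->next + 1u) % TLB_ENTRIES;
    v->valid = 1;
    v->ctx = m->cur_ctx;
    v->vpn = vpn;
    v->pfn = page_table_walk(m->cur_ctx, vpn);
    return (v->pfn << PAGE_SHIFT) | off;
}

/* Switch by storing a new context ID only: cached entries survive. */
static void switch_tagged(struct mmu *m, uint8_t ctx) { m->cur_ctx = ctx; }

/* Switch on an untagged design: every cached translation must be dropped. */
static void switch_flush(struct mmu *m, uint8_t ctx)
{
    for (unsigned i = 0; i < TLB_ENTRIES; i++)
        m->tlb[i].valid = 0;
    m->cur_ctx = ctx;
}

/* Alternate between two OS contexts, touching the same virtual address in
 * each. Returns the number of page-table walks that were needed. */
static unsigned walks_after_switching(int tagged, unsigned rounds)
{
    struct mmu m = {0};
    for (unsigned r = 0; r < rounds; r++) {
        for (uint8_t ctx = 1; ctx <= 2; ctx++) {
            if (tagged) switch_tagged(&m, ctx); else switch_flush(&m, ctx);
            (void)translate(&m, 0xC0000123u);
        }
    }
    return m.misses;
}

/* Warm the TLB with OS 1's entry, then translate the same address in ctx. */
static uint32_t phys_in_ctx(uint8_t ctx, uint32_t vaddr)
{
    struct mmu m = {0};
    switch_tagged(&m, 1);
    (void)translate(&m, vaddr);
    switch_tagged(&m, ctx);
    return translate(&m, vaddr);
}

int main(void)
{
    printf("walks, tagged switch: %u\n", walks_after_switching(1, 10));
    printf("walks, flush switch:  %u\n", walks_after_switching(0, 10));
    printf("OS1 -> 0x%08x, OS2 -> 0x%08x\n",
           (unsigned)phys_in_ctx(1, 0xC0000123u),
           (unsigned)phys_in_ctx(2, 0xC0000123u));
    return 0;
}
```

The tag check in `translate` is also what keeps a stale entry of one operating system from ever satisfying a lookup made by another.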


Allocation of Input/Output Devices 

As indicated above, the allocation table 404 indicates which devices are allocated uniquely to each operating system. In addition, table 404 indicates which input/output resources (Direct Memory Access (DMA) devices, input/output ports, interrupts and so on) are allocated exclusively to such devices, thus allowing a direct use of these resources without any conflict. Typically, many devices are duplicated, so it is possible to reduce potential conflicts substantially in this way.

The distribution is based on the operating system configuration scheme (for example, in the case of C5, the devices specified in the device tree). They are allocated to operating systems at boot time, and in order of booting, so that the critical operating system has first choice of the available devices in the table 404 and the secondary operating systems in turn receive their allocation in what remains. As each operating system initialises, it detects the presence of these devices and uses its native drivers for them without interaction from the hardware resource dispatcher.

"Hot" Reboot of Secondary Operating System

According to the present embodiments, it is possible to reboot a secondary operating system (for example because of a crash) whilst other operating systems continue to run. Because of the separation of system resources, a crash in the secondary operating system does not interfere with the ongoing operation of the critical operating system (or other secondary operating systems) and the rebooting of that secondary operating system does not do so either.

In the embodiment, the system "stop" and "start" trap calls to the hardware resource dispatcher assist in shutting down and restarting the secondary operating systems from within the critical operating system. Additionally, the hardware resource dispatcher saves a copy of the original system image, at boot time, in persistent memory within the hardware resource dispatcher allocated memory. As an example, hot restart in this embodiment is managed as follows:

At the time of initially booting up, the hardware resource dispatcher saves a copy of the secondary operating systems memory image.

The critical operating system includes a software watchdog driver routine for periodically monitoring the functioning of the secondary operating systems (for example, by setting a timeout and waiting for an event triggered by a peer driver running in the secondary operating systems so as to check for their continued operation).

If the critical operating system detects that the secondary operating system has failed or stopped, it triggers "stop" and then "start" trap calls (of the secondary operating system) to the hardware resource dispatcher.

The hardware resource dispatcher then restores the saved copy of the secondary operating system image, and reboots it from memory to restart. It was found that, on tests of an embodiment, the Linux secondary operating system could be rebooted within a few seconds from locking up.

In other respects, the hot restart builds upon that available in the Chorus operating system, as described for example in:

"Fast Error Recovery in CHORUS/OS. The Hot-Restart Technology". Abrossimov, F. Hermann, J.C. Hugly, et al, Chorus Systems Inc. Technical Report, August 1996, 14p. available from:

http://wwwjaluna,c^^devel^er/pa \U J 
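The hot restart procedure above (saved image, watchdog timeout, "stop" then "start" trap calls, restore), as an added C model that is not code from the patent or from Chorus. The image size, the three-period timeout and all names are assumptions, and the crash is a constructed memory scribble.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE          32u  /* constructed image size */
#define WD_TIMEOUT_TICKS   3u  /* watchdog periods tolerated without a heartbeat */

enum os_state { OS_STOPPED, OS_RUNNING };

struct secondary_os {
    uint8_t       image[IMG_SIZE];  /* live memory image, writable by the OS */
    enum os_state state;
    unsigned      heartbeat;        /* bumped by the peer driver in this OS */
    unsigned      boots;
};

struct dispatcher {
    uint8_t saved_image[IMG_SIZE];  /* pristine copy, in dispatcher-owned memory */
    struct secondary_os *sec;
};

struct watchdog { unsigned last_seen, silent, restarts; };

/* Boot: install the image and keep a copy the secondary OS cannot reach. */
static void hrd_boot(struct dispatcher *d, struct secondary_os *s,
                     const uint8_t *img)
{
    memcpy(s->image, img, IMG_SIZE);
    memcpy(d->saved_image, img, IMG_SIZE);
    d->sec = s;
    s->state = OS_RUNNING;
    s->heartbeat = 0;
    s->boots = 1;
}

/* "stop" trap call: the secondary OS is no longer scheduled. */
static void hrd_trap_stop(struct dispatcher *d) { d->sec->state = OS_STOPPED; }

/* "start" trap call: restore the saved image and boot it again. */
static void hrd_trap_start(struct dispatcher *d)
{
    memcpy(d->sec->image, d->saved_image, IMG_SIZE);
    d->sec->heartbeat = 0;
    d->sec->state = OS_RUNNING;
    d->sec->boots++;
}

/* One watchdog period in the critical OS. Returns 1 if it restarted the
 * secondary OS during this period. */
static int watchdog_tick(struct watchdog *w, struct dispatcher *d)
{
    if (d->sec->state == OS_RUNNING && d->sec->heartbeat != w->last_seen) {
        w->last_seen = d->sec->heartbeat;   /* progress seen: reset timeout */
        w->silent = 0;
        return 0;
    }
    if (++w->silent < WD_TIMEOUT_TICKS)
        return 0;
    hrd_trap_stop(d);
    hrd_trap_start(d);
    w->last_seen = 0;
    w->silent = 0;
    w->restarts++;
    return 1;
}

/* Scenario: five healthy periods, then the secondary OS corrupts its own
 * image and stops sending heartbeats. Returns the number of watchdog periods
 * from the crash to the restart, or -1 if the restart did not restore it. */
static int demo_hot_restart(void)
{
    uint8_t pristine[IMG_SIZE];
    struct secondary_os sec;
    struct dispatcher hrd;
    struct watchdog wd = {0, 0, 0};
    int periods = 0;

    for (unsigned i = 0; i < IMG_SIZE; i++)
        pristine[i] = (uint8_t)(0xA0u + i);
    hrd_boot(&hrd, &sec, pristine);

    for (int t = 0; t < 5; t++) {
        sec.heartbeat++;
        if (watchdog_tick(&wd, &hrd))
            return -1;                      /* must not restart a healthy OS */
    }
    memset(sec.image, 0xFF, IMG_SIZE);      /* constructed crash */
    while (!watchdog_tick(&wd, &hrd))
        periods++;
    periods++;                              /* count the period that restarted */

    if (memcmp(sec.image, pristine, IMG_SIZE) != 0) return -1;
    if (sec.state != OS_RUNNING || sec.boots != 2)  return -1;
    return periods;
}

int main(void)
{
    printf("restarted after %d watchdog periods\n", demo_hot_restart());
    return 0;
}
```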

Run-time Operation

The operation of the embodiment after installation and booting will now be described in greater detail.

Having been booted and initialised, the real time operating system is running one or more applications 207 (for example a UDP/IP stack; UDP/IP stands for Universal Datagram Protocol/Internet Protocol) and the secondary operating system is running several applications 208a, 208b (for example a word processor and a spreadsheet). The real time operating system microkernel 201 and the secondary operating system kernel 202 communicate with the hardware resource dispatcher through the hardware resource dispatcher interface which comprises:

• a data structure representing the operating system context (i.e. the set of state variables which need to be saved and restored in order to switch to the operating system), and the hardware repository;

• the set of functions which execute in the operating system environment; and

• the set of trap call routines which execute in the hardware resource dispatcher environment.

If neither operating system requires processor time (for example, both have reached "wait" states) then the hardware resource dispatcher 400 switches to the critical operating system's idle thread, in which it waits for an interrupt or event. Thus, interrupts can be processed immediately by the critical operating system's servicing routines, without needing to switch to the critical operating system first.

At some point, an interrupt or event will occur. For example, a packet may be received at a data port, causing an interrupt to allow it to be processed by the real time operating system executing the UDP/IP stack. Alternatively, a user may manipulate a keyboard or mouse, causing an interrupt to operate the GUI of the second operating system 202 for interaction with the word processing application 208. Alternatively, the system clock may indicate that a predetermined time has elapsed, and that an application should commence re-execution, or an operating system function should execute.

The critical operating system servicing routine then services the interrupt, as described below.

Interrupt and Event Handling

If not already in the critical operating system, the hardware resource dispatcher interrupt handler 412 calls the operating system switcher 408 to switch to the critical operating system, and then the interrupt handler routine 412 to call an interrupt service routine (ISR) in the critical operating system 201. If the interrupt is intended for the critical operating system, either because it is from a device uniquely assigned to the critical operating system or because it is from a shared device and has a certain predetermined value, the critical operating system ISR takes the action necessary to handle the interrupt. If not, control is passed back to the hardware resource dispatcher.

Critical to Secondary Operating Systems Switch

Referring to Figure 7, for this example, the system is executing a thread 702 of an application 207a running on the critical operating system 201.

If an interrupt occurs, a critical operating system interrupt service routine 704 performs interrupt servicing. On termination, control passes back to the thread 702 and any others executed by the scheduler of the critical operating system 201. When processing of all threads is complete, the critical operating system has finished executing, and it schedules its "idle" thread. Accordingly the "idle" trap routine in the critical operating system issues an "idle" trap call to the hardware resource dispatcher 400. The hardware resource dispatcher then executes a routine which does the following:

• If the interrupt handler 412 currently has some stored virtual interrupts, these are forwarded by the interrupt handler 412 to the secondary operating system.

• The hardware resource dispatcher operating system scheduler 410 selects the secondary operating system 202 to execute. The OS switcher 408 then saves the current context (typically, processor MMU and status registers, instruction and stack pointers) in the critical OS context storage area 706. It then retrieves the stored execution context 708 for the secondary operating system 202, and writes them to the registers concerned.

• If there are virtual interrupts for the secondary OS concerned, the interrupt handler 412 calls the relevant interrupt service routine 710 within the secondary operating system, which services the interrupt and then, on completion, reverts to the execution of a thread 712 of the secondary operating system where it left off.

If the interrupt handler 412 currently has no pending interrupts, then the hardware resource dispatcher operating switcher 408 causes the secondary operating system to recommence execution where it left off, using the stored program counter value within the restored operating system context, in this case at the thread 712.



Thus, after the critical operating system 201 has performed some function (either servicing its own applications or services, or servicing an interrupt intended for another operating system), the hardware resource dispatcher passes control back to the next secondary operating system 202, as determined by the scheduler 410.

Secondary to Critical Operating System Switch

Referring to Figure 8, the process of transferring from the secondary operating system to the critical operating system will now be disclosed. In this case, the system is executing a thread 712 of an application 208a running on the critical operating system 202.

When a hardware interrupt occurs, the hardware resource dispatcher starts the OS switcher, to save the secondary operating system context in the context storage area 708. It then switches to the primary operating system 201, restoring the values of state variables from the context storage area 706, and calls the interrupt service routine 704 of the primary operating system 201. After servicing the interrupt, the scheduler of the primary operating system 201 may pass control back from the ISR 704 to any thread 704 which was previously executing (or thread to be executed).

When the ISR and all threads are processed, the primary operating system 201 passes control back to the hardware resource dispatcher, which switches from the primary operating system 201 (saving the state variables in the context storage 706) and switches to a selected secondary operating system 201 (retrieving the state variables from the context storage 708), in the manner discussed with reference to Figure 7 above.

Inter-operating system communication

The virtual bus routine cooperates with the virtual bus drivers in each operating system. It emulates a physical bus connecting the operating systems, similar to Compact PCI (cPCI) boards plugged into a cPCI backplane. Each operating system is provided with a driver routine for the virtual bus bridge device on this virtual bus, allowing the operating systems and their applications to communicate by any desired protocol, from raw data transfer to a full IP protocol stack.

The hardware resource dispatcher virtual bus is based on the shared memory and system cross-interrupt principles already discussed above. In detail, the virtual bus routine 418 emulates the C5 buscom DDI: syscom, which defines virtual bus bridge shared devices, allowing the export (sharing) of memory across the virtual bus and triggering of cross-interrupts into other operating systems.

Each virtual bus driver, in each secondary operating system, creates such a virtual bus bridge in the hardware resource dispatcher hardware repository at startup time. By doing so, it exports (shares) a region of its private memory, and provides a way to raise interrupts within its hosting system.

Thus, a virtual bus driver of a first operating system sends data to a second operating system by:

• writing into the memory exported by a peer virtual bus driver of the second operating system, and then;

• triggering a cross-interrupt to notify that data are available to the peer bus driver in the second operating system.

In the reverse (incoming) direction, the virtual bus driver propagates incoming data up-stream (for use by the application or routine for which it is intended) when receiving a cross-interrupt indicating that such data have been stored in its own exported memory region.
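The send and receive path just described, combined with the posting, masking and deferred delivery of virtual exceptions described under "Handling virtualised processor exceptions", as an added C model that is not code from the patent or from Jaluna. All names, the 64-byte exported region and the length header are assumptions; the receiver checks the length because that field sits in memory a peer operating system can write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VBUS_REGION_SIZE 64u   /* bytes exported by the receiver (constructed) */
#define XIRQ_VBUS        0x1u  /* cross-interrupt bit: "data available" */

/* Memory region exported on the virtual bus by one OS's bus driver. */
struct vbus_region {
    uint32_t len;                       /* written by the sending peer */
    uint8_t  data[VBUS_REGION_SIZE];
};

/* Per-OS state: virtual exception bits kept by the dispatcher, plus the
 * driver's exported region and the buffer handed up-stream. */
struct os_ctx {
    uint32_t pending;                   /* posted, not yet delivered */
    uint32_t enabled;                   /* unmasked virtual exceptions */
    struct vbus_region exported;
    uint8_t  inbox[VBUS_REGION_SIZE];
    size_t   inbox_len;
    unsigned delivered, rejected;
};

/* Dispatcher services: posting only records the event for later delivery. */
static void xirq_post(struct os_ctx *dst, uint32_t bit) { dst->pending |= bit; }
static void vex_mask(struct os_ctx *os, uint32_t bit)   { os->enabled &= ~bit; }
static void vex_unmask(struct os_ctx *os, uint32_t bit) { os->enabled |= bit; }

/* Sender: write into the peer's exported memory, then raise the cross-interrupt. */
static int vbus_send(struct os_ctx *dst, const void *buf, size_t n)
{
    if (n > VBUS_REGION_SIZE)
        return -1;
    memcpy(dst->exported.data, buf, n);
    dst->exported.len = (uint32_t)n;
    xirq_post(dst, XIRQ_VBUS);
    return 0;
}

/* Receiver ISR: read the peer-controlled length once, validate it, and only
 * then copy the payload up-stream. */
static void vbus_isr(struct os_ctx *self)
{
    uint32_t n = self->exported.len;
    if (n > VBUS_REGION_SIZE) {
        self->rejected++;
        return;
    }
    memcpy(self->inbox, self->exported.data, n);
    self->inbox_len = n;
    self->delivered++;
}

/* Called when the scheduler next runs `os`: deliver pending exceptions that
 * are not masked. Returns the number of ISRs invoked. */
static unsigned dispatch_pending(struct os_ctx *os)
{
    unsigned n = 0;
    if (os->pending & os->enabled & XIRQ_VBUS) {
        os->pending &= ~XIRQ_VBUS;
        vbus_isr(os);
        n++;
    }
    return n;
}

/* A message sent while the receiver has the interrupt masked stays pending
 * and is delivered only after unmasking. Returns 1 on that behaviour. */
static int demo_masked_delivery(void)
{
    struct os_ctx rx = {0};
    vex_mask(&rx, XIRQ_VBUS);
    if (vbus_send(&rx, "ping", 4) != 0)  return 0;
    if (dispatch_pending(&rx) != 0)      return 0;   /* masked: held back */
    vex_unmask(&rx, XIRQ_VBUS);
    if (dispatch_pending(&rx) != 1)      return 0;
    return rx.inbox_len == 4 && memcmp(rx.inbox, "ping", 4) == 0
           && rx.pending == 0;
}

/* A peer that writes the region directly with an oversized length
 * (constructed value) must not cause an out-of-bounds copy. */
static int demo_bad_length_rejected(void)
{
    struct os_ctx rx = {0};
    vex_unmask(&rx, XIRQ_VBUS);
    rx.exported.len = 4096;
    xirq_post(&rx, XIRQ_VBUS);
    dispatch_pending(&rx);
    return rx.rejected == 1 && rx.inbox_len == 0;
}

int main(void)
{
    printf("masked delivery ok: %d\n", demo_masked_delivery());
    printf("bad length rejected: %d\n", demo_bad_length_rejected());
    return 0;
}
```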


Referring to Figure 9a, an application 208a which is to communicate with another 208b running on the same operating system 202 can do so through that operating system. An application 207b running on one operating system 201 which is to communicate with another 208b running on a different operating system 202 does so by writing data to the virtual bus using the API of its operating system, which uses the virtual bus driver routine to pass the data to the other operating system 202, which propagates it from its virtual bus driver to the application 208b.

Referring to Figure 9b, the changes necessary to migrate this arrangement to one in which the first and second operating systems run on different computers 100, 101 are small; it is merely necessary to change the drivers used by the operating systems, so that they use drivers for a real bus 103 rather than the virtual bus drivers. The system is therefore made more independent of the hardware on which it operates.

Communication across the hardware resource dispatcher virtual bus is available to applications, but can also be used internally by the operating system kernels, so that they can cooperate in the implementation of services distributed among multiple operating systems. "Smart" distributed services of this kind include software watchdog used for system hot restart (discussed above), or a distributed network protocol stack.


Debugging

In a preferred embodiment, the hardware resource dispatcher has a second mode of operation, in which it acts as a debugging agent.

According to this embodiment, in the second mode, the hardware resource dispatcher can communicate via a serial communications line with debugging software tools running on another machine (the "host" machine).

Such debugging tools provide a high level graphical user interface (GUI) to remotely control the hardware resource dispatcher. The hardware resource dispatcher virtualised exception mechanism is used to intercept defined exceptions. The user can then configure and control how the hardware resource dispatcher behaves in case of processor exceptions, and also display machine and system states, to enable diagnosis of code or other system errors or problems.


The user can select one or more such processor exceptions as the basis for a trap call from an operating system to the hardware resource dispatcher. On the basis of the selected exception, when the or each exception occurs during execution, the operating system is stopped, and executes the trap call to the hardware resource dispatcher, which then saves the current context and enables interaction with the debugging tools on the host. The user can then cause the display of the current states of the state variables (such as the stack pointers, program and address counters) and/or the content of selected blocks of memory. The user can specify either that a given type of exception should be trapped in a specific operating system to be debugged, or that they should be trapped whenever they occur, in any operating system. In response, the trap call is implemented in just one, or in all, operating systems. The user can also specify if a given type of exception is to be normally forwarded to the system when restarting execution or simply ignored.

Because the hardware resource dispatcher executes in its own environment, it is able to debug much more of an operating system than could be done from within that system. Importantly, no code is shared between the hardware resource dispatcher acting as a debug agent and the systems being debugged. This allows, for example, the debugging of even kernel low level code such as exception vectors or interrupt service routines.

Some other aspects of the overall (host/target) debugging architecture according to this embodiment are similar to those for the Chorus and C5 debugging systems, described in the document "C5 1.0 Debugging Guide" published by Jaluna, and available at:

http://www jalunaxontf dcrc/cS/htn^^ -tifin J 

Secure Architecture

It will be clear that the embodiments described above give a firm basis for a secure architecture. This is because the secondary operating system, on which a user will typically run insecure applications, is insulated from specified system resources, and accesses them only through the hardware resource dispatcher (and the drivers of the primary operating system). Thus, security applications can be run on the primary operating system which, for example, perform encryption/decryption; allow access to encrypted files; manage, store and supply passwords and other access information; manage and log access and reproduction of copyright material. Applications running on the secondary operating system cannot access system resources which are not allocated to that operating system, and where the operating systems run in different memory contexts (i.e. use different addressing pointers to different spaces) applications running on the secondary operating system cannot be used to interfere with those operating on the primary system, so as to weaken the security of its operations.


This section describes the invention on PowerPC ("PPC") architecture, as an example of a Reduced Instruction Set Computer (RISC). For a background understanding of this well known architecture, the following is incorporated by reference:

"PowerPC Microprocessor Family: The Programming Environments for 32-Bit Microprocessors - Software Reference Manual" (published by IBM
Inc.), Publication Number: 0522^0290-Ot R^on ! j&iftfe: fW&m 

available for download from: . 

10 hUp^/www.ibntcoin/chjps/tcchlibAechli^ " 


In the following, the hardware resource dispatcher is described (in a non-limiting sense) as a nanokernel. This section focuses on PowerPC-specific aspects of the nanokernel implementation, in particular on the nanokernel executive which is the cornerstone of the nanokernel.

This section describes how the PowerPC processor architecture is used in order to implement the nanokernel executive which is capable of running multiple independent operating systems concurrently, sharing the central and co-processing units (CPU and FPU) as well as the memory management unit (MMU) across these operating systems.

It also describes how the nanokernel handles interrupts. In particular, it describes the mechanism used to intercept and forward hardware interrupts toward the primary operating system and the software interrupts mechanism provided to the secondary operating systems.

Note that in this document we assume that the nanokernel is running on a uniprocessor computer and therefore aspects related to the symmetric multiprocessor (SMP) architecture are not addressed here.

Overview

Virtual Address Spaces

On PowerPC architecture the nanokernel always runs in the physical address space. In other words, the MMU is always disabled and the processor is running in real mode when nanokernel code is executed.

In this description the term "memory context" designates a virtual address translation context:

• a set of 16 virtual segment identifiers (VSID) specified in the segment registers;

• a set of page table entries (PTE);

• a set of block address translations specified in the BAT registers.

Typically, an operating system supporting user processes creates multiple memory contexts (one per user process) in order to be able to handle private user virtual address spaces. The kernel changes the memory context each time it switches from one user process to another. The operating system kernel also handles a unique supervisor address space. User and supervisor virtual addresses can overlap on PowerPC architecture.

The supervisor address space mappings may be either static or dynamic. The static mapping is created at system initialization time and it typically maps (entirely or partially) available physical memory. Such mapping is also called the one-to-one or Kernel Virtual (KV) mapping and typically uses the PowerPC Block Address Translation mechanism (BAT). In particular, the KV mapping usually covers the kernel code, data and bss sections. Dynamic mappings are created at run time in order to access dynamically loaded kernel modules or dynamically allocated (non contiguous) memory chunks.

Three kinds of memory context are distinguished in the nanokernel environment: primary, secondary and nanokernel.

The primary memory context is a memory context currently used by the primary kernel. Note that, in case the primary operating system supports user address spaces, there might be multiple memory contexts used by the primary kernel but, as was already mentioned, the supervisor address space is unique. Because the nanokernel does not care about user mappings, the primary memory context is unique from the nanokernel perspective and it consists of static and dynamic supervisor mappings established by the primary kernel.

* •* % '*•*".•■. * . 

The secondary memory context is a memory context currently used by the secondary kernel. Once more, in case the secondary operating system supports user address spaces, there might be multiple memory contexts used by the secondary kernel but there is only one supervisor address space. Thus, the secondary memory context is unique from the nanokernel perspective (for a given secondary kernel) and consists of its supervisor memory context.

The nanokernel itself does not really use a memory context as defined above but rather the PowerPC processor physical address space. However, the nanokernel address space is different from the other memory contexts and therefore can be considered as a specific one.

The nanokernel memory context is mostly used to execute the nanokernel code when a secondary kernel is preempted by an interrupt, trap or exception event handled by the nanokernel, for example, in order to perform an I/O operation to the nanokernel console. The nanokernel memory context is also used as an intermediate address space allowing to switch from a secondary execution environment to the primary one and vice versa. Note that because the PowerPC processor switches to real execution mode at exception processing, it is a natural and efficient approach to use the processor physical address space as the nanokernel memory context.


Figure 1 shows an example of the primary and a secondary virtual address space as well as the nanokernel physical address space. In this example the physical memory size is 128 megabytes. The primary kernel uses the trivial one-to-one (KV) mapping starting from zero (like C5 microkernel) and the secondary kernel uses a shifted one-to-one (KV) mapping starting from 0xc0000000 (like Linux kernel).

Figure 2 shows an example of how the memory context is switching in
time. Initially, a secondary operating system is running in a secondary
memory context. At t0 time, the current secondary kernel traps to the
nanokernel in order to output a character to the nanokernel console. This trap
switches the current memory context to the nanokernel one. During the [t0, t1]
period, the nanokernel (running in the nanokernel memory context) prints out
a character to the nanokernel console. At t1 time, the nanokernel returns to the
secondary kernel switching back to the secondary memory context. At t2 time
an interrupt occurs while running the secondary operating system. The
interrupt switches the current memory context to the nanokernel one and
invokes the nanokernel interrupt handler. In order to forward the interrupt to
the primary kernel, the nanokernel switches from the nanokernel memory
context to the primary one and invokes the primary interrupt handler, at t3
time. During the interrupt request processing, at t4 time, the primary kernel
traps to the nanokernel in order to output a character on the nanokernel
console.

At t5 time, the nanokernel returns from the call to the
primary kernel which continues the interrupt request processing until the t6
time. At this moment, the primary kernel returns
and the nanokernel switches back to the interrupted secondary operating
system in order to continue its execution. Such a switch starts in the primary
memory context and, going through the intermediate nanokernel context,
finally ends up in the secondary memory context at t7 time.
Nanokernel Invocation and Preemption

The nanokernel is invoked either explicitly through a trap or implicitly
through an interrupt/exception handler. In the former case, we say that an
operating system kernel invokes the nanokernel. In the latter case, we say that
the nanokernel preempts an operating system. It is important to underline that
the nanokernel is always invoked from the privileged code running in the
supervisor address space. On the other hand, the nanokernel may preempt the
kernel itself as well as a user process running under kernel control.

Once the system is booted, the nanokernel is activated first and it starts
execution of the primary and secondary kernels. Once the initialization phase
is done, the nanokernel plays a passive role. This means that the code
executed in the nanokernel is driven by the primary and secondary kernels
explicitly invoking the nanokernel (by trap) or by externally generated
synchronous (i.e., exceptions) and asynchronous (i.e., interrupts) events.

On PowerPC architecture, mechanisms used for the nanokernel
invocation and preemption are the same for primary and secondary operating
systems. In terms of execution environment, the nanokernel is quite separate
from the primary and secondary kernels as it runs in PowerPC real mode. It
uses a "null" memory context (physical address space) and a different
supervisor stack. There is a barrier between the operating systems (MMU
enabled) and the nanokernel (MMU disabled) which provides protection
against kernel malfunction. Note however that such a protection is not
absolute because each kernel still runs privileged code in supervisor address
space and therefore a secondary kernel is still able to crash the primary kernel
as well as the nanokernel.

Nanokernel Invocation

The primary and secondary kernels invoke the nanokernel using a trap
call mechanism. The PowerPC sc and trap instructions are not used, to avoid
the interception of the program and system call exceptions.
This would introduce performance overhead in the processing of
exceptions that are frequently used by an operating system kernel.

Instead, some exception vectors, currently unused by PowerPC
processor implementations, are dedicated to nanokernel trap calls. These
exception vectors are called through a small software stub, in the
primary or secondary kernel execution environment, that puts the PowerPC
processor in the same state as when a real exception occurs, and jumps to the
appropriate vector using the rfi instruction. In other words, the nanokernel
invocation mechanism extends the existing PowerPC exception set,
simulating software exceptions triggered under control of the primary or
secondary kernels.

The following exception vectors are used for nanokernel trap calls:

0x2000    idle, invoke nanokernel scheduler
0x2100    invoke nanokernel debug agent
0x2200    invoke nanokernel console I/O services
0x2300    trigger a system cross-interrupt
0x2400    restart system
0x2500    process pending VEXs
0x2600    halt system (secondary only)

Nanokernel invocation is made with the following conventions and
processor state:

- translation is disabled (switch to real mode)
- interrupts are disabled at processor level
- caller r20 is saved in sprg0
- caller r21 is saved in sprg1
- caller msr is saved in r20
- caller return address (next instruction to execute) is stored in r21
- sub-trap number is stored in a register (for multi-function traps)

Nanokernel Preemption 

The nanokernel preempts the operating systems by intercepting the
PowerPC exception / interrupt vectors. The PowerPC architecture does not
provide any mechanism (like a base register) to configure the address where
the exception vectors are located, but enforces them to be located at the
beginning of the physical address space (at 0x00000000 in RAM) or in the
first page of the last megabyte of the physical address space (at 0xfff00000
usually in ROM). Therefore, the nanokernel owns the exception
vectors and uses an array of indirect function pointers (an exception handler
table) to call the native system handler or to intercept the exception and
execute a nanokernel handler instead. When an operating system is preempted
by the nanokernel the processor state is automatically changed by the taken
exception (real mode). Additionally, the nanokernel handler may switch to
another memory context and supervisor stack, to execute a task in its own
environment, or to directly switch

When the nanokernel just forwards the exception to the native kernel
handler it has to modify the register content in order to implement an indirect
call without losing the processor state. Thus the nanokernel applies the
following convention about register usage when calling a kernel exception
handler (we only mention what differs from the state at exception entry):

- r20 is saved into sprg0 scratch register
- r21 is saved into sprg1
- lr is saved into r20 register
- r21 is loaded with the exception table index
  (exception number * 4)
- lr is loaded with the address of the kernel
  exception handler

Primary Preemption

The nanokernel preempts the primary operating system only in rare
cases. Typically, only the exceptions that manage unavailable co-processing
units are intercepted (FPU and AltiVec).

These exceptions are used by the nanokernel to handle the unit sharing
between kernels in a lazy fashion as described later in this document.

Secondary Preemption

In addition to the co-processing exceptions, a secondary operating
system is also preempted when an interrupt (asynchronous exception) occurs.
In such a case, the interrupt vector is intercepted by the corresponding nanokernel
handler (installed in secondary exception table). The nanokernel then
switches to the primary memory context and calls the associated primary
kernel handler for this interrupt (installed in the primary exception handler table).

Kernel Context

kernel data. The global data keeps the global nanokernel state (e.g., the
nanokernel memory context) while the per-kernel data keeps a state
associated to a given primary or secondary kernel. The per-kernel data is also
called the kernel context.

The kernel context consists of two parts: visible and hidden. The
visible part is public and takes a part in the nanokernel interface. This part of
the kernel context is described in detail further in the chapter dedicated to the
nanokernel interface. The hidden part is not visible to kernels and is used
internally by the nanokernel executive.

Nanokernel Executive Interface

This chapter describes the nanokernel executive interface exported to
the primary and secondary kernels. Such an interface consists in a data
structure shared between a kernel and the nanokernel (i.e., the visible kernel
context) as well as the nanokernel methods.



Visible Kernel Context

Figure 3 illustrates the visible part of the kernel context.

Note that, in the visible part of the kernel context, all references are
made through physical addresses. A kernel has to convert such a physical
address to the virtual one (from the KV mapping) in order to access the
referenced object. The picture shows a configuration with only two kernels:
primary and secondary.

The hdls[] field is an array of pointers to the kernel exception
handlers. This array is indexed by the exception number. An entry of this
array may be set directly to the kernel native exception handler or to a
nanokernel handler in order to intercept the associated exception. In the latter
case the kernel native exception handler pointer is located in the VEXhdls[]
field.

The pending VEX and enabled VEX fields reflect the current state of
the virtual exceptions. Note that these fields are not meaningful for the primary
kernel context because the primary kernel exceptions are not virtualized by the
nanokernel. The virtualized exceptions mechanism is described in detail
further in this document together with the secondary execution environment.
The boot info field points to a global boot information structure. This
field is read-only.

Such a data structure contains various processor information
(frequencies) as well as a pointer to the firmware passed argument.

The cmd_line start and size parameters point to the boot command
line specifying the boot time parameters. Such parameters are given to the
boot loader or passed through the nanokernel environment. The command line
is kernel specific and it is located in the kernel context. The nanokernel parses
the initial (multi-system) command line in order to create kernel specific
command lines containing only the parameters for the corresponding
kernel.



The RAM info field points to the RAM description table. This field is
read-only. The RAM description table is a global data structure shared by all
kernels. It describes how the RAM resource is distributed across the kernels.



The dev info field points to the list of virtual devices abstracted by the
nanokernel. This field is read-only for a secondary kernel and read-write for
the primary one. The devices list is global and it is shared by all kernels.
Each virtual device in the list is represented by a data structure specified by
the nanokernel. This data structure is typically accessed by both primary and
secondary peer drivers using rules defined by the nanokernel. The primary
peer driver plays a server role supporting the virtual device while the
secondary peer driver plays a client role using the virtual device instead of the
real one. This list is created (and modified) by the primary kernel only. A
secondary kernel is only allowed to browse this list.

The pending XIRQ field specifies pending cross interrupts. This field
is not used by the nanokernel itself. It is hosted by the kernel context structure in
order to assist the primary and secondary kernels in cross interrupt
exchange. There is only one processor exception dedicated to the cross
interrupt delivery. The pending XIRQ field allows the number of
cross interrupts to be extended up to 32 (one bit per cross interrupt source). A cross interrupt
bit is set by the source kernel (i.e., the kernel which sends the cross interrupt) and
it is reset by the destination kernel (i.e., the kernel which receives the cross
interrupt).

The ID field contains a unique kernel identifier. This field is read-only.
Identifier 0 is assigned to the nanokernel itself and identifier 1 is assigned to
the primary kernel. The kernel identifier designates the kernel in the
nanokernel interface. For example, the kernel identifier is used to tag
resources assigned to a given kernel (e.g., memory chunks in the RAM
description table).
The running field points to a system bit field giving the
state of the corresponding kernels: running (1) or halted (0). This bit field is read-
only. The nanokernel sets a bit before launching the associated kernel and
clears it once this kernel is halted. When a kernel is restarted, its running bit is
first cleared and then set. Any kernel is able to analyze the running bit field in
order to find out all running peer kernels. Note that the running bit of the
primary kernel is always set.

The ctx root and last fields point respectively to the first kernel context
(i.e., the nanokernel itself) and the last kernel context.

of a kernel context structure including the hidden part. These fields together
provide required information to manage the kernel contexts.

The shared memory field points to a pool of shared memory. It is used
mainly by the primary kernel to allocate memory to store data shared between
all the kernels.
Nanokernel Methods

The nanokernel provides two groups of methods: the console I/O
operations and the executive operations. The console I/O operations allow a
kernel to send/receive characters to/from the nanokernel console.

This document does not specially address the console I/O methods which are
more or less generic but rather it is focused on the executive methods which
are PowerPC architecture specific.

Instead of installing exception handlers directly into the PowerPC
exception vectors, a kernel has to invoke this nanokernel method to attach a
handler to a given processor exception. The exception number and physical
address of the kernel handler code are passed as arguments. The exception
number is used to index the hdls[] exception handler table in the kernel
context, where the kernel handler pointer is stored.

The nanokernel can later use the table entry value to directly raise the
corresponding exception to the kernel using an
additional indirect call. This method is to be used for exceptions that are
directly processed by the kernels (not intercepted by the nanokernel).
Install virtualized exception handler

This method is used to attach a kernel exception handler to an
exception virtualized by the nanokernel. Such an exception is either a virtual
exception corresponding to a real PowerPC exception, intercepted and
deferred by the nanokernel, or a logical event raised by the nanokernel.

The VEX number and physical address of the kernel handler code are
passed as arguments. The VEX number is used to index the VEXhdls[]
virtualized exception handler table in the kernel context, where the kernel
handler pointer is stored.

Idle

The nanokernel provides an idle method which is to be called by a
kernel within an idle loop. The idle method informs the nanokernel that the
calling kernel has nothing to do until the next interrupt.

The idle method invocation results in a system switch to the next ready
to run secondary kernel (if any) or in the return from the primary idle method
when all secondary kernels are idle. The idle method has no parameter.

Restart

The nanokernel provides a restart method which can be called by the
primary as well as by a secondary kernel in order to restart a secondary
kernel.

The method parameter specifies the identifier of the kernel being restarted.
The nanokernel stops the kernel execution, restores the kernel image from its
copy and finally starts the kernel execution at the initial entry point.

Note that a secondary kernel can reboot itself by calling the restart trap
with its own identifier.

Secondary Halt 

The halt trap is provided by the nanokernel to a secondary kernel.
Such a trap is called by a secondary kernel when it is shut down. The nanokernel
puts the caller kernel into a non running state in order to avoid this kernel
being switched in by the nanokernel scheduler.

A stopped kernel can be started again by the restart nanokernel method
described above.

Primary Execution Environment

Basically, the primary kernel is executed in the native execution
environment. The nanokernel implementation on PowerPC architecture tries to
minimize impact of the nanokernel environment to primary operating
system characteristics (performance, interrupt latency, preemption latency).
Because the primary operating system is typically a real-time operating
system, it is important to keep the primary kernel behavior unchanged even if
other (secondary) operating systems are running concurrently on the same
processor.
Initialization

The nanokernel is started first by the boot loader with MMU disabled,
i.e., in the physical space. Basically, the nanokernel initialization code installs
the primary memory bank (containing the primary kernel code and data
sections) and the other banks in the physical memory and jumps to the
primary entry point.

Before jumping to the primary kernel, the nanokernel initializes the
primary kernel context by calling a system specific routine. This routine
should at least set, in the hidden part of the kernel context, the srr0 register
image to the kernel entry point and the srr1 register image to the initial value
expected by the system kernel.

All entries in the exception handler table (hdls[] field of the kernel
context) point to the nanokernel debug agent entry point, except for the co-
processing (FPU) unit exceptions. This ensures that any unexpected early
exception will stop execution.

The nanokernel initialization code is executed using a static
nanokernel stack located in the data section. When jumping to the primary
kernel, this stack is still valid. Despite that, the primary kernel should
switch to its own stack as soon as possible and should never use this
nanokernel stack in the future. The nanokernel stack is used not only at
initialization phase but also at run time in order to handle secondary
invocations and preemptions as described in the next chapter.

When jumping to the primary kernel, a register points to the
kernel context and the msr register is loaded with the srr1 image set in the
kernel context. Typically, the processor interrupts are disabled at the
beginning of a primary initialization phase. The primary kernel usually
enables interrupts once a critical initialization phase is done.

During the initialization phase, the primary kernel typically invokes
the nanokernel methods in order to attach handlers to the processor and
virtualized exceptions. Finally the primary kernel enters in the idle loop and
invokes the nanokernel idle method.

When the idle method is called for the first time, the nanokernel considers
that the primary kernel has fully initialized its execution environment and it
proceeds to the post initialization phase.



In such a post initialization phase, the nanokernel initializes the
secondary kernel contexts as described in the next chapter. Once the post
initialization is done, the nanokernel calls the scheduler in order to either
switch to a ready to run secondary kernel or return from the primary idle
method if all secondary kernels are idle.
The nanokernel requires the primary kernel to initialize the globally
shared data structures: the RAM descriptor and the virtual devices list. Such
an initialization has to be done before the idle method is called. This
requirement is natural because, beyond this moment, a secondary kernel can
access the globally shared data structures.

In particular, the primary kernel is in charge to detect the physical
memory available on the board and to register memory chunks
in the RAM descriptor.

According to the primary Board Support Package (BSP), the primary
kernel should start nanokernel aware drivers, which, in turn, should populate
the virtual devices list. Such virtual devices are provided to secondary kernels
and therefore they should be created before the first secondary kernel is
started.
Intercepted Exceptions

Basically, the nanokernel does not intercept exceptions which occur
when the primary operating system is running on the processor. All
programming exceptions, traps and interrupts are handled by native primary
handlers. The primary low-level handlers just need to be modified to
comply with the nanokernel exception handler conventions on the
PowerPC architecture.



An exception from the above rule is programming exceptions related
to the co-processing units emulation:

- the floating point unavailable exception (FPU)
- the vector unit unavailable exception (AltiVec VU)

These exceptions are used by the nanokernel to implement a lazy
mechanism of co-processing units sharing described further in this
document.



Another special case is a debug agent which could be embedded in the
nanokernel in order to provide a host based remote system debugging of the
primary operating system. In this case, the debug agent usually intercepts
some synchronous exceptions related either to debug features (e.g., single
instruction trace) or to program errors (e.g., page fault). Such a debug agent
design is however out of scope of this document.

Forwarded Interrupts

When an interrupt occurs while a secondary operating system is
running on the processor, the interrupt is forwarded to the primary operating
system. Such an interrupt forwarding process goes through the following
major steps:

- the interrupt is intercepted by the nanokernel
  (corresponding entry of the hdls[] table in the secondary
  kernel context points to the nanokernel handler)
- execution of the preempted secondary operating system is
  suspended and the nanokernel switches to the primary
  execution environment
- the nanokernel triggers the interrupt to the
  primary kernel (branch to the corresponding entry of the
  hdls[] table in primary kernel context)

In such a way, the corresponding primary low-level interrupt handler is
invoked (in the primary execution environment) in order to process the
interrupt. Once the interrupt is processed, the primary kernel returns to the
nanokernel executing a rfi instruction.

After returning from the primary interrupt handler, the nanokernel
calls the scheduler in order to determine the next secondary operating system
to run. Note that the preempted secondary system would not necessarily be
continued after interrupt. Another (higher priority) secondary system may
become ready to run because of the interrupt.
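
The handler-table behaviour described above (every hdls[] entry defaulting to the debug agent, direct installation of kernel handlers, and forwarding of a secondary interrupt to the primary handler) can be modelled in C as follows. This is an added illustration, not code from the patent; the table size, the function names and the refusal to overwrite an intercepted entry are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdio.h>

#define NK_EXC_COUNT      0x30  /* assumed table size for this sketch */
#define EXC_EXTERNAL      0x05  /* PowerPC external interrupt, vector 0x500 */
#define EXC_PROGRAM       0x07  /* PowerPC program exception, vector 0x700 */
#define KERNEL_ID_PRIMARY 1     /* identifier 1 is the primary kernel */

enum ran { RAN_DEBUG_AGENT, RAN_PRIMARY_HANDLER, RAN_SECONDARY_HANDLER };

struct kctx;
typedef enum ran (*exc_handler_t)(struct kctx *ctx, unsigned exc);

struct kctx {                          /* hypothetical slice of a kernel context */
    unsigned id;
    exc_handler_t hdls[NK_EXC_COUNT];  /* exception handler table */
};

static struct kctx primary_ctx, secondary_ctx;
static struct kctx *current_ctx;       /* kernel whose environment is active */

/* Default target of every entry: an unexpected exception stops execution. */
static enum ran nk_debug_agent(struct kctx *ctx, unsigned exc)
{
    (void)ctx; (void)exc;
    return RAN_DEBUG_AGENT;
}

/* Nanokernel handler placed in the secondary table for interrupts. */
static enum ran nk_forward_interrupt(struct kctx *preempted, unsigned exc)
{
    enum ran r;
    current_ctx = &primary_ctx;                    /* switch environment */
    r = primary_ctx.hdls[exc](&primary_ctx, exc);  /* branch via primary hdls[] */
    current_ctx = preempted;  /* scheduler step: only one secondary exists here */
    return r;
}

void nk_ctx_init(struct kctx *ctx, unsigned id)
{
    unsigned i;
    ctx->id = id;
    for (i = 0; i < NK_EXC_COUNT; i++)
        ctx->hdls[i] = nk_debug_agent;
    if (id != KERNEL_ID_PRIMARY)       /* interrupts of a secondary are intercepted */
        ctx->hdls[EXC_EXTERNAL] = nk_forward_interrupt;
}

/* Install a handler for an exception the kernel processes directly. */
int nk_install_handler(struct kctx *ctx, unsigned exc, exc_handler_t h)
{
    if (exc >= NK_EXC_COUNT || h == NULL)
        return -1;                     /* assumption: reject bad arguments */
    if (ctx->hdls[exc] == nk_forward_interrupt)
        return -1;                     /* assumption: intercepted entry stays put */
    ctx->hdls[exc] = h;
    return 0;
}

/* An exception is taken while current_ctx is running. */
enum ran nk_take_exception(unsigned exc)
{
    if (exc >= NK_EXC_COUNT)
        return nk_debug_agent(current_ctx, exc);
    return current_ctx->hdls[exc](current_ctx, exc);
}

void nk_demo_boot(void)
{
    nk_ctx_init(&primary_ctx, KERNEL_ID_PRIMARY);
    nk_ctx_init(&secondary_ctx, 2);
    current_ctx = &primary_ctx;
}

static enum ran primary_irq(struct kctx *c, unsigned e)
{
    (void)c; (void)e;
    return RAN_PRIMARY_HANDLER;
}

static enum ran secondary_prog(struct kctx *c, unsigned e)
{
    (void)c; (void)e;
    return RAN_SECONDARY_HANDLER;
}

int main(void)
{
    nk_demo_boot();
    nk_install_handler(&primary_ctx, EXC_EXTERNAL, primary_irq);
    nk_install_handler(&secondary_ctx, EXC_PROGRAM, secondary_prog);
    current_ctx = &secondary_ctx;
    printf("interrupt while secondary runs -> %d\n",
           (int)nk_take_exception(EXC_EXTERNAL));
    printf("program exception in secondary -> %d\n",
           (int)nk_take_exception(EXC_PROGRAM));
    return 0;
}
```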

Secondary Execution Environment

Basically, the secondary kernel execution environment is quite similar
to the native one except for the interrupts management. The nanokernel
environment modifies the native mechanism of the interrupts management in
order to make a secondary operating system fully preemptable. A secondary
kernel ported to the nanokernel architecture no longer disables interrupts at
processor level but rather uses a software interrupts masking mechanism
provided by the nanokernel (i.e., virtual exceptions). Interrupts are no longer
directly processed by such a secondary kernel, but rather they are intercepted
by the nanokernel and forwarded to the primary kernel.

Initialization

The nanokernel installs the secondary memory banks at initialization
time together with primary banks. On the other hand, the final initialization of
a secondary kernel, in particular the kernel context setup, is deferred until the
post initialization phase.



At this phase, the nanokernel allocates memory to keep a copy of
secondary memory banks. Such a copy is then used to restore the initial image
of secondary system at restart time. The secondary system restart is however
optional and it might be disabled in order to reduce the physical memory
consumption.

The secondary kernel context is set up by calling a system specific
routine that initializes the context according to what is expected by the kernel
entry point. All entries in the exception handler table (hdls[] field of the
kernel context) point to the nanokernel debug agent entry point, except for the
co-processing (FPU) unit and the interrupt entries. Those point to
nanokernel specific handlers used to intercept the corresponding secondary
exceptions as described in the next section.

The nanokernel launches a secondary kernel by switching to the initial
execution context previously set up by the system specific routine in the kernel
context hidden part.

Analogous to the primary kernel, the kernel context is
passed as an argument (passing convention is system specific). On the other
hand, unlike the primary kernel, the interrupts are enabled
(MSR[EE] is set) even during the secondary kernel initialization phase. It
should be noted that even the secondary kernel initialization code is fully
preemptable by the primary system. This is particularly important in order
not to disturb the primary operating system when a secondary operating
system is restarted.

Despite enabled hardware interrupts, the virtualized exceptions
(corresponding to hardware interrupts) are disabled when a secondary kernel
is started. So, interrupts are not delivered by the nanokernel until they are
explicitly enabled by the secondary kernel at the end of the critical
initialization phase. The software interrupts masking mechanism (based on
virtual exceptions) is described in detail further in this document.

The stack pointer is invalid when a secondary kernel is started.
Usually, the secondary kernel uses a static initial stack located in the data
section in order to execute its initialization code.

Analogous to the primary kernel, during the initialization phase, a
secondary kernel typically invokes the nanokernel traps in order to attach
handlers to the PowerPC and virtualized exceptions. Finally, the secondary
kernel enters in



Intercepted Exceptions 

In order to intercept a secondary exception, the nanokernel installs a
pointer to its own handler into the corresponding entry of the hdls[] exception
handler table in the secondary kernel context. Thus, when such an exception
occurs, the exception vector branches to the nanokernel handler which saves
the secondary memory context and processes the exception.

All intercepted exceptions can be classified as
interrupts, traps and programming exceptions.

The nanokernel intercepts all PowerPC interrupts (asynchronous
exceptions) in order to forward them to the primary kernel:

- Reset
- Machine check
- System management
- External interrupt
- Performance monitor
- Decrementer
- Thermal



Additionally, two nanokernel traps are performance

The first one sends a cross interrupt to the primary
kernel. The nanokernel handles this trap in a way similar to the
interrupt one except that the exception forwarded to the
primary kernel corresponds to a software interrupt rather
than to a hardware one. Such a trap
preempts the current secondary kernel.

The second one is called by a secondary kernel in
order to process pending virtual exceptions when they are
enabled again. These two traps take a part in the software
interrupts masking mechanism and they are described in
detail in the next section dedicated to the virtual exceptions.

Analogous to the primary kernel, the nanokernel
usually does not intercept programming exceptions except for
some special cases:

- the floating point unavailable exception (FPU)
- the vector unit unavailable exception (AltiVec VU)

These exceptions are used by the nanokernel to implement a lazy
mechanism of co-processing units sharing described further in this
document.
Another special case is a debug agent which could be embedded in the
nanokernel in order to provide a host based remote system debugging of the
secondary operating system. In this case, the debug agent usually intercepts
some synchronous exceptions related either to debug features (e.g., single
instruction trace) or to program errors (e.g., page fault). Such a debug agent
design however is out of scope of this document.
Virtual Exceptions

Virtual exceptions (VEX) is a mechanism provided by the nanokernel
which allows a kernel to post an exception to a secondary kernel and to
deliver it in a deferred manner. In particular, the VEX mechanism is used in
the PowerPC nanokernel architecture in order to replace hardware interrupts
with software ones for a secondary kernel.

The VEX interface consists in two fields of the kernel context:
pending and enabled. These fields are meaningful only for a secondary kernel
context but they are accessed by both the primary and secondary kernels. All
virtual exceptions are naturally enumerated by the bit position in the pending
(or enabled) field. So, there are in total 32 virtual exceptions supported by the
nanokernel on the PowerPC architecture (the pending and enabled fields are
32 bit integer values).

The table below shows how the virtual exceptions are mapped to the
real ones:

Virtual      Real
Exception    Exception
0            0x2          Machine check
1            0x1          Reset
2            0x14         SMI
3            0x5          External interrupt
4
5
6
7                         XIRQ
8                         Debugger
31           -            running



Virtual exceptions from 0 up to 6 are mapped to the PowerPC
interrupts. The virtual exception 7 is mapped to the exception vector
used to deliver cross interrupts to the secondary kernel. The virtual exceptions
from 9 up to 30 are not currently used and they are reserved for future
extensions. The virtual exception 31 does not correspond to any real
exception and it is in fact a pseudo virtual exception used
by the nanokernel in order to detect if the kernel is idle. How such a pseudo
virtual exception works is described in detail further in this document.

Because multiple virtual exceptions can be pending at the same time but only one of them can be processed at a time, virtual exceptions are prioritized according to their number. The highest priority is assigned to the Machine-check and the lowest priority is assigned to the Running pseudo exception.

The pending VEX field of a secondary context is typically updated by the primary kernel which provides a driver for the [illegible] device. Such a driver usually posts virtual exceptions (interrupts) to secondary kernels by setting appropriate bits in the pending VEX field.

The enabled VEX field is updated by the secondary kernel in order to enable or disable virtual exceptions. A given virtual exception is enabled if the corresponding bit is set in the enabled VEX field. Using the enabled VEX field, a secondary kernel implements critical sections protected against interrupts. In other words, a secondary kernel no longer uses the MSR[EE] and MSR[ME] bits to disable/enable processor interrupts but rather modifies the enabled VEX field of its kernel context.

A given virtual exception is delivered by the nanokernel if it is pending and enabled simultaneously. The nanokernel resets the corresponding pending bit just before jumping to the secondary [illegible].



Note that, when porting a secondary kernel to the PowerPC nanokernel architecture, low-level exception handlers have to be modified in order to take into account the software interrupt mechanism which substitutes the hardware one. Hardware interrupts are enabled at processor level when running a secondary kernel, except in low-level exception handler code, where saving the processor state uses resources (scratch registers) requiring a critical section. In such a way, in the nanokernel environment, a secondary operating system becomes [illegible] the primary operating system.

A virtual exception can be posted by the primary kernel while it is in a disabled state. In this case, the exception is not delivered to the secondary kernel but it is rather kept pending until the exception is re-enabled again. When virtual exceptions are re-enabled by a secondary kernel, a check should be made whether any virtual exceptions are pending. If the check is positive, the secondary kernel should invoke the nanokernel in order to process such pending virtual exceptions. Such check [illegible] "pending virtual exception" trap (nanokernel specific vector 0x2500).



In general, a secondary kernel re-enables virtual exceptions in the two following cases:

- when virtual exceptions have been previously disabled by the secondary kernel in order to protect a critical section of code;
- when virtual exceptions have been disabled while processing a [illegible] exception in a low-level handler.
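
The pending/enabled logic described in this section can be modelled in a few lines of C. This is an added illustration, not code from the patent; the names vex_ctx, vex_post, vex_deliver, vex_disable and vex_enable are hypothetical, and numbering virtual exception n as bit (1 << n) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#define VEX_NONE (-1)

/* Constructed model of the two VEX fields of a secondary kernel context.
 * Assumption: virtual exception n is bit (1 << n). The model is single-threaded;
 * how the two kernels synchronize access to the fields is not covered here. */
struct vex_ctx {
    uint32_t pending;   /* bits set by the primary kernel when posting */
    uint32_t enabled;   /* bits set/cleared by the secondary kernel */
};

/* Primary kernel side: post virtual exception n (0..31). */
static void vex_post(struct vex_ctx *c, unsigned n) { c->pending |= UINT32_C(1) << n; }

/* Nanokernel side: deliver the lowest-numbered (highest-priority) exception that
 * is both pending and enabled, resetting its pending bit. VEX_NONE if none. */
static int vex_deliver(struct vex_ctx *c)
{
    uint32_t ready = c->pending & c->enabled;
    for (int n = 0; n < 32; n++)
        if (ready & (UINT32_C(1) << n)) {
            c->pending &= ~(UINT32_C(1) << n);
            return n;
        }
    return VEX_NONE;
}

/* Secondary kernel side: mask exceptions around a critical section. */
static void vex_disable(struct vex_ctx *c, uint32_t mask) { c->enabled &= ~mask; }

/* Secondary kernel side: unmask. A nonzero return means an exception was
 * posted while masked, so the nanokernel must be invoked to process it
 * (the "pending virtual exception" trap in the text). */
static int vex_enable(struct vex_ctx *c, uint32_t mask)
{
    c->enabled |= mask;
    return (c->pending & c->enabled) != 0;
}

int main(void)
{
    struct vex_ctx c = { 0, 0 };
    vex_disable(&c, UINT32_MAX);            /* enter critical section */
    vex_post(&c, 8);
    vex_post(&c, 3);
    printf("while masked: %d\n", vex_deliver(&c));
    if (vex_enable(&c, UINT32_MAX))         /* leave critical section */
        for (int n; (n = vex_deliver(&c)) != VEX_NONE; )
            printf("delivered %d\n", n);
    return 0;
}
```

The check in vex_enable is the step a port must not omit: without it, an exception posted during a critical section stays pending until some later, unrelated nanokernel entry.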



Nanokernel Re-Entrance

The nanokernel code is mostly executed with interrupts disabled at processor level, preventing re-entrance into the nanokernel. On the other hand, some nanokernel invocations may take a long time and therefore the nanokernel has to enable interrupts when executing such long operations in order to keep the primary interrupt latency low.

There are two kinds of long nanokernel operations:

- synchronous console output. The operation duration depends on the serial line speed. For example, on a [illegible] baud line, a single character output may take up to [illegible] millisecond.
- secondary kernel restart. The operation duration depends on the kernel image size which [illegible].

For all operations listed above, the nanokernel enables interrupts and therefore re-entrance from the primary kernel. On the other hand, while interrupts are enabled, the nanokernel scheduler is disabled in order to prevent another secondary kernel from being scheduled when returning from the primary interrupt handler. In other words, the nanokernel can be preempted by the primary kernel (as result of an interrupt) but re-entrance from a secondary kernel is prohibited. Such a restriction allows the nanokernel to use global resources for the secondary execution environment.

The discussion above shows that the nanokernel must be capable of enabling processor interrupts while executing code in the nanokernel memory [illegible] from a trap called by the primary or a secondary kernel. In other words, the nanokernel must support a switch to the primary interrupt handler while running its own trap call handler.

In order to support such a context switch nesting, the nanokernel manages a kernel context for itself. The nanokernel kernel context has [illegible] value (in [illegible] field). It is used to save the nanokernel processor context (in hidden part) when switching to the primary kernel on interrupt. It is also used to [illegible] nanokernel specific interrupt handler pointers (in [illegible]). In this way, interrupts can be vectored through the currently executing kernel context even when the nanokernel code is running.



Additionally, the nanokernel needs to push critical [illegible] as well as a part of the nanokernel and primary kernel contexts that would otherwise be overwritten by primary kernel re-entrance.
The nanokernel uses an interrupt prolog/epilog pair of routines to handle an interrupt by the primary kernel and to return to nanokernel interrupted code at the end of the interrupt processing by the primary kernel. Note that the prolog/epilog pair of routines is different depending on the last kernel that has been calling the nanokernel [illegible]. Indeed, the kind and amount of information to be pushed on the stack is not the same for the primary or secondary trap caller.



The interrupt prolog routine [illegible] interrupt handler. It is attached to the [illegible] exception handler table in the nanokernel kernel context. This handler performs [illegible]:

- save part of the kernel context into an interrupt frame on the [illegible] handle primary [illegible];
- modify srr0 register [illegible] to refer to the appropriate epilog routine;
- switch to the corresponding primary kernel interrupt handler.



The interrupt epilog [illegible] from the primary kernel interrupt handler ([illegible]). It is used to directly restore the nanokernel interrupted execution context without calling the nanokernel scheduler, and goes through the following steps:

- restore [illegible];
- restore kernel context from the interrupt frame (saved by the prolog routine);
- return to the [illegible].



The nanokernel interrupt stack frame [illegible] the following information:

- copy of critical part of the nanokernel kernel context: lr, r1, r2, srr0, srr1 registers;
- the last trap caller (pointer to a primary or secondary kernel context);
- only if last trap caller is the primary: copy of critical part of the primary kernel context: [illegible], srr1 registers.

The nanokernel [illegible] a pair of functions which are used to enable/disable interrupts. These functions respectively save and restore the [illegible] part of the nanokernel execution context, which is not systematically saved at trap entry.

When enabling interrupts, the nanokernel goes through the following steps:

- save scratch registers in the [illegible];
- save current pair of prolog/epilog routines in the stack;
- update current pair of prolog/epilog routines according to trap [illegible] (primary or secondary);
- enable interrupts at processor level (set MSR[EE] bit).



When disabling interrupts, the nanokernel goes through the following steps:

- [illegible] MSR[EE] bit);